This topic has 5 replies, 3 voices, and was last updated 6 years, 1 month ago by rohajda.


    The OpenID Connect standard claims don't include group memberships or roles, so I am trying to create a custom OIDC Claims Groovy script to add a custom claim.

    My user data store is Active Directory; with proper configuration, the group memberships are displayed in the Groups tab of the "Subjects" section of the realm.

    However, in the custom OIDC Claims script, trying to use identity.getMemberships(IdType.GROUP) gives the error "javax.script.ScriptException: java.lang.SecurityException: Access to Java class "com.sun.identity.idm.IdType" is prohibited."

    Is there a way to allow this class in the script engine?


     Peter Major

    Go to Configuration > Global > Scripting, select your script type, and you should be able to control the whitelist there.


    Thanks, @peter-major. It works without bouncing the server.


    @wshen, could you share your modified OIDC Claims Groovy script? I am trying to achieve the same but with no luck.

    Thanks in advance



    I created a custom claim block inside the "claimAttributes" array:

    "roles": { claim, identity, requested ->
        // memberships are AMIdentity objects; prefix each group's name
        identity.getMemberships(IdType.GROUP).collect { group -> 'ROLE_' + group.name }
    }

    Make sure to add import com.sun.identity.idm.IdType at the top of the script.
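As an added example (not code from the thread or from ForgeRock), here is a more defensive version of the "roles" claim resolver above, plus an offline check with constructed stand-in group objects. It assumes the same closure shape the post uses (claim, identity, requested) and that memberships come back as AMIdentity objects whose getName() returns the group name; the ROLE_ normalisation (upper-case, non-alphanumerics collapsed to "_") is a design choice, not something the thread requires:

```groovy
// Added example: defensive "roles" claim resolver for the AM/OpenAM OIDC Claims
// script. In the real script keep this import at the very top and whitelist the
// class under Configuration > Global > Scripting (script type: OIDC Claims):
//
//     import com.sun.identity.idm.IdType
//
// It is commented out here so the file runs stand-alone with plain groovy.

// Normalise one group name into a Spring-style role, e.g. "HR Admins" -> "ROLE_HR_ADMINS".
// (Assumption: consumers expect upper-case roles without spaces.)
String roleFor(String groupName, String prefix = 'ROLE_') {
    prefix + groupName.trim().toUpperCase().replaceAll(/[^A-Z0-9]+/, '_')
}

// Build a sorted, de-duplicated role list from a collection of group objects.
// nameOf extracts the group's name (AMIdentity.getName() in AM). Null-safe:
// a null collection or null entries produce no roles instead of an exception.
List<String> rolesFrom(Collection groups, Closure nameOf) {
    (groups ?: []).findAll { it != null }
                  .collect { roleFor(nameOf(it)) }
                  .unique()
                  .sort()
}

// The entry to put into claimAttributes. Returns [] rather than null when the
// subject cannot be resolved or has no groups, so the claim stays well-formed.
def rolesClaim = { claim, identity, requested ->
    if (identity == null) { return [] }
    rolesFrom(identity.getMemberships(IdType.GROUP), { group -> group.getName() })
}

// In the real script:
// claimAttributes = [ /* existing entries */ "roles": rolesClaim ]

// --- offline check with constructed stand-ins (not AM objects) ---
class StubGroup { String name }

def stubGroups = [new StubGroup(name: 'HR Admins'),
                  new StubGroup(name: 'hr-admins'),   // collapses to the same role
                  null,                               // tolerated
                  new StubGroup(name: 'Finance')]

assert rolesFrom(stubGroups, { it.name }) == ['ROLE_FINANCE', 'ROLE_HR_ADMINS']
assert rolesFrom(null, { it.name }) == []
println rolesFrom(stubGroups, { it.name })
```

The point of returning an empty list instead of null is that a relying party parsing the ID token gets a predictable claim type either way; whether two differently spelled AD groups should collapse into one role, as the normalisation does here, is a policy decision you should make deliberately before relying on "roles" for authorization.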


    @wshen, thanks a lot, it is working great.
